Is your cybersecurity vendor transparent about vulnerability fixes?

Written by Carl Windsor, CISO at Fortinet

Cybersecurity products should incorporate robust security at all stages of the product lifecycle and a cybersecurity vendor should offer continuous innovation and improvement over the product’s lifecycle. Regardless of how careful developers are, all software and application code invariably include mistake – some benign, but some leading to vulnerabilities.

The big question is what to do when an error is discovered.

Vendor responses vary widely, from open disclosure to silently fixing without acknowledgement they existed. Such inconsistent response leaves users unknowingly vulnerable and/or scrambling to implement fixes on short notice.

While there are international and industry best practices for creating responsible disclosure processes that align with those efforts, these approaches are most often voluntary rather than mandatory. Ensuring organizations adopt responsible disclosure processes is crucial for a strong cybersecurity posture and protecting users from potential vulnerabilities.

Organizations should insist on working with vendors committed to responsible development and disclosure practices that follow standardized ethical rules and best practices to enhance cyber resilience. Implementing critical and timely fixes, patches, and updates is essential for keeping your organization safe from emerging threats looking to exploit new vulnerabilities.

So, when assessing potential vendors, it's crucial to ask the following three questions.

1. Does your vendor conduct thorough product testing? How is it done?

Testing demands significant resources—time, a skilled workforce, and financial investment. Some providers rush products to market, addressing vulnerabilities only as they are detected, often by clients or third-party researchers.

Vendors may lack the necessary financial, structural, or human resources to execute robust testing. Encountering a vendor that discloses few or no vulnerabilities may stem from these limitations.

At the same time, it is essential to remember that a vendor's vulnerability count also tends to correlate with the scale of its operations and product range. A high vulnerability count doesn't automatically indicate inferior security measures or product quality. The critical factor lies in the processes implemented to ensure product security throughout the development cycle through its end of life.

A trustworthy cybersecurity vendor should embed rigorous internal and external testing into every product development phase. Timely vulnerability detection—before a malicious entity can exploit it—is paramount.

This includes such things as rigorous code review and audit, Static & Dynamic Application Security Testing (SAST & DAST), penetration testing, fuzzing, and similar efforts to detect exploitable vulnerabilities.

2. What is your vendor’s balance between internally and externally discovered vulnerabilities?

Ideally, a vendor's proactive development and testing approach will result in a predominantly internal discovery ratio. This not only signifies a proactive effort to safeguard customers but also demonstrates a vendor’s commitment to robust testing and disclosure.

According to one recent industry analysis, the average software code sample contains 6,000 defects per million lines of code. And research conducted at Carnegie Mellon University’s Software Engineering Institute indicates that about five percent of those defects can be exploited. This translates to roughly three exploitable vulnerabilities for every 10,000 lines of code.

As a result, companies with extensive product portfolios may disclose more vulnerabilities simply due to the sheer size of their code base. That’s why it’s critical to remember that numbers alone don't paint a complete picture.

Larger numbers of vulnerabilities don't necessarily imply inferior security. Instead, they reflect the larger pool of products subject to analysis.

A proactive approach to responsible development and disclosure not only proactively identifies risks but also facilitates the prompt development and deployment of fixes, thereby preempting potential exploitation.

3. How does your vendor handle reported vulnerabilities?

In addition to self-discovery, threat researchers, industry groups, and others actively pursue vulnerability discovery. This is critical in ensuring vulnerabilities are found and addressed before threat actors can exploit them.

Many vendors openly work with outside groups to encourage responsible disclosure that allows fixes and patches to be prepared before vulnerabilities are reported publicly.

Vendors need to engage in an open discussion of responsible disclosure practices. How they work with outside researchers underscores their commitment to the security of their customers and the broader cyber landscape.

You should understand your vendor’s commitment to vulnerability discovery and disclosure. Start by referencing credible sources, such as the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure-by-Design principles or the Cyber Threat Alliance’s (CTA) Vulnerability Disclosure Policy.

According to the CTA vulnerability disclosure policy, “identifying, reporting, and addressing hardware and software vulnerabilities is an essential component of any organization’s cybersecurity program.”

Responsible disclosure ensures stakeholders, such as consumers, are promptly informed of discovered vulnerabilities, enabling preemptive action. Most reputable vendors maintain documented responsible disclosure policies. You should ask to see them.

Typically, the process begins with researchers reporting discovered vulnerabilities to developers through an established process, allowing time for vendor remediation, and in some cases customer mitigation, before public disclosure.

While such processes have undergone considerable debate within the cybersecurity community, with some vendors resisting disclosing vulnerabilities, industry consensus now leans towards responsible disclosure principles that benefit cybersecurity users.

Responsible Development and Disclosure Practices Protect You

Proactive and transparent disclosure empowers consumers with the information they need effectively to safeguard their assets effectively.

Once you understand the basic principles of responsible development and disclosure, look for vendors collaborating with customers, independent researchers, industry bodies, and peers to fortify security measures.

For example, CISA recently introduced a Secure by Design pledge signed by more than 60 vendors, including Fortinet, that incorporates elements of its “radical transparency” principle, including “in the spirit of radical transparency, the manufacturer is encouraged to publicly document their approach so that others can learn.” Has your vendor taken this pledge? Ask your about their internal vs. externally discovered vulnerability ratios.

The majority of reported vulnerabilities should be self-discovered. Remediated issues, whether internal or externally discovered, should be transparently disclosed and responsibly addressed.

When it comes to cybersecurity and protecting your critical digital assets, sunlight is the best disinfectant.

Sponsored and written by Fortinet.